United States Court of Appeals, District of Columbia Circuit
Chantal Attias, individually and on behalf of all others similarly situated, et al., Appellants
CareFirst, Inc., doing business as Group Hospitalization and Medical Services, Inc., doing business as CareFirst of Maryland, Inc., doing business as CareFirst BlueCross BlueShield, doing business as CareFirst BlueChoice, Inc., et al., Appellees
March 31, 2017
from the United States District Court for the District of
Columbia (No. 1:15-cv-00882)
Jonathan B. Nace argued the cause for appellants. With him on
the briefs was Christopher T. Nace.
Rotenberg and Alan Butler were on the brief for amicus curiae
Electronic Privacy Information Center (EPIC) in support of
D. Rezvani was on the brief for amicus curiae National
Consumers League in support of appellants.
Matthew O. Gatewood argued the cause for appellees. With him
on the briefs was Robert D. Owen.
J. Pincus, Stephen C.N. Lilley, Kathryn Comerford Todd,
Steven P. Lehotsky, and Warren Postman were on the brief for
amicus curiae The Chamber of Commerce of the United States of
America in support of appellees.
Before: Tatel, Griffith, and Millett, Circuit Judges.
GRIFFITH, CIRCUIT JUDGE

2014, health insurer CareFirst suffered a cyberattack in
which its customers' personal information was allegedly
stolen. A group of CareFirst customers attributed the breach
to the company's carelessness and brought a putative
class action. The district court dismissed for lack of
standing, finding the risk of future injury to the plaintiffs
too speculative to establish injury in fact. We conclude that
the district court gave the complaint an unduly narrow
reading. Plaintiffs have cleared the low bar to establish
their standing at the pleading stage. We accordingly reverse.

and its subsidiaries are a group of health insurance
companies serving approximately one million customers in the
District of Columbia, Maryland, and Virginia. When customers
purchased CareFirst's insurance policies, they provided
personal information to the company, including their names,
birthdates, email addresses, social security numbers, and
credit card information. CareFirst then assigned each
customer a subscriber identification number. The companies
stored this information on their servers. Allegedly, though,
CareFirst failed to properly encrypt some of the data
entrusted to its care.

2014, an unknown intruder breached twenty-two CareFirst
computers and reached a database containing its
customers' personal information. CareFirst did not
discover the breach until April 2015 and only notified its
customers in May 2015. Shortly after the announcement, seven
CareFirst customers brought a class action against CareFirst
and its subsidiaries in our district court. Their complaint
invoked diversity jurisdiction under the Class Action
Fairness Act, 28 U.S.C. § 1332(d), and raised eleven
different state-law causes of action, including breach of
contract, negligence, and violation of various state

parties disagree over what the complaint alleged. According
to CareFirst, the complaint alleged only the exposure of
limited identifying data, such as customer names, addresses,
and subscriber ID numbers. According to plaintiffs, the
complaint also alleged the theft of customers' social
security numbers. The plaintiffs sought to certify a class
consisting of all CareFirst customers residing in the
District of Columbia, Maryland, and Virginia whose personal
information had been hacked. CareFirst moved to dismiss for
lack of Article III standing and, in the alternative, for
failure to state a claim.

district court agreed that the plaintiffs lacked standing,
holding that they had alleged neither a present injury nor a
high enough likelihood of future injury. The plaintiffs had
argued that they suffered an increased risk of identity theft
as a result of the data breach, but the district court found
this theory of injury to be too speculative. The district
court did not read the complaint to allege the theft of
social security numbers or credit card numbers, and concluded
that "[p]laintiffs have not suggested, let alone
demonstrated, how the CareFirst hackers could steal ...